From owner-p4-projects@FreeBSD.ORG Sun Sep 24 20:31:26 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id CD45516A47E; Sun, 24 Sep 2006 20:31:25 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8ABA716A407 for ; Sun, 24 Sep 2006 20:31:25 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 369F943D6D for ; Sun, 24 Sep 2006 20:31:22 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k8OKVM69067855 for ; Sun, 24 Sep 2006 20:31:22 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k8OKVL4X067852 for perforce@freebsd.org; Sun, 24 Sep 2006 20:31:21 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 24 Sep 2006 20:31:21 GMT Message-Id: <200609242031.k8OKVL4X067852@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 106617 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Sep 2006 20:31:26 -0000 http://perforce.freebsd.org/chv.cgi?CH=106617 Change 106617 by rwatson@rwatson_zoo on 2006/09/24 20:30:27 Integrate OpenBSM 1.0 alpha 12 into TrustedBSD audit3 branch. Affected files ... .. //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#16 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#11 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#14 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#5 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#16 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#5 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#8 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#9 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#4 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#19 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#14 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#15 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#7 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#17 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#6 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#11 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#9 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#9 integrate .. //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#29 integrate Differences ... ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#16 (text+ko) ==== @@ -1,3 +1,24 @@ +OpenBSM 1.0 alpha 12 + +- Correct bug in auditreduce which prevented the -c option from working + correctly when the user specifies to process successful or failed events. + The problem stemmed from not having access to the return token at the time + the initial preselection occurred, but now a second preselection process + occurs while processing the return token. +- getacfilesz(3) API added to read new audit_control(5) filesz setting, + which auditd(8) now sets the kernel audit trail rotation size to. +- auditreduce(1) now uses stdin if no file names are specified on the command + line; this was the documented behavior previously, but it was not + implemented. Be more specific in auditreduce(1)'s examples section about + what might be done with the output of auditreduce. +- Add audit_warn(5) closefile event so that administrators can hook + termination of an audit trail file. For example, this might be used to + compress the trail file after it is closed. +- auditreduce(1) now uses regular expressions for pathname matching. Users can + now supply one or more (comma delimited) regular expressions for searching + the pathnames. If one of the regular expressions is prefixed with a tilde + (~), and a path matches, it will be excluded from the search results. + OpenBSM 1.0 alpha 11 - Reclassify certain read/write operations as having no class rather than the @@ -243,4 +264,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#15 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#16 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#11 (text+ko) ==== @@ -17,10 +17,7 @@ just at the beginning of a record. This will make it easier to use praudit in test suites processing single-token files without header and trailer context. -- Teach auditd how to notify a script when it is done with trail files so - that the script can archive them, compress them, delete them, whatever. - It should walk any trail files found at startup also, assuming it - successfully registers. - Put hostname in trail file name. +- Document audit_warn event arguments. -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#11 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#14 (text+ko) ==== @@ -1,1 +1,1 @@ -OPENBSM_1_0_ALPHA_11 +OPENBSM_1_0_ALPHA_12 ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#5 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#4 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/audit_warn.c#5 $ */ #include @@ -125,6 +125,21 @@ } /* + * Indicate that a trail file has been closed, so can now be post-processed. + */ +int +audit_warn_closefile(char *filename) +{ + char *args[3]; + + args[0] = CLOSEFILE_WARN; + args[1] = filename; + args[2] = NULL; + + return (auditwarnlog(args)); +} + +/* * Indicates that the audit deammn is already running */ int ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#16 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#15 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#16 $ */ #include @@ -163,9 +163,11 @@ syslog(LOG_ERR, "Could not rename %s to %s: %m", oldname, lastfile); - else + else { syslog(LOG_INFO, "renamed %s to %s", oldname, lastfile); + audit_warn_closefile(lastfile); + } } free(lastfile); free(oldname); @@ -727,6 +729,8 @@ char naeventstr[NA_EVENT_STR_SIZE]; char polstr[POL_STR_SIZE]; long policy; + au_fstat_t au_fstat; + size_t filesz; /* * Process the audit event file, obtaining a class mapping for each @@ -806,6 +810,17 @@ "Failed to set default audit policy: %m"); } + /* + * Set trail rotation size. + */ + if (getacfilesz(&filesz) == 0) { + bzero(&au_fstat, sizeof(au_fstat)); + au_fstat.af_filesz = filesz; + if (auditon(A_SETFSIZE, &au_fstat, sizeof(au_fstat)) < 0) + syslog(LOG_ERR, "Failed to set filesz: %m"); + } else + syslog(LOG_ERR, "Failed to obtain filesz: %m"); + return (0); } ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#5 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#5 $ */ #ifndef _AUDITD_H_ @@ -62,6 +62,7 @@ #define HARDLIM_ALL_WARN "allhard" #define SOFTLIM_ALL_WARN "allsoft" #define AUDITOFF_WARN "auditoff" +#define CLOSEFILE_WARN "closefile" #define EBUSY_WARN "ebusy" #define GETACDIR_WARN "getacdir" #define HARDLIM_WARN "hard" @@ -76,6 +77,7 @@ int audit_warn_allhard(int count); int audit_warn_allsoft(void); int audit_warn_auditoff(void); +int audit_warn_closefile(char *filename); int audit_warn_ebusy(void); int audit_warn_getacdir(char *filename); int audit_warn_hard(char *filename); ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#8 (text+ko) ==== @@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#7 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#8 $ .\" .Dd January 24, 2004 .Dt AUDITREDUCE 1 @@ -105,12 +105,17 @@ .It Fl o Ar object=value .Bl -tag -width Ds .It Nm file -Select records containing the given path name. -file="/usr" matches paths -starting with -.Pa usr . -file="~/usr" matches paths not starting with -.Pa usr . +Select records containing path tokens, where the pathname matches +one of the comma delimited extended regular expression contained in +given specification. +Regular expressions which are prefixed with a tilde (~) are excluded +from the search results. +These extended regular expressions are processed from left to right, +and a path will either be selected or deslected based on the first match. +.Pp +Since commas are used to delimit the regular expressions, a backslash (\\) +character should be used to escape the comma if it's a part of the search +pattern. .It Nm msgqid Select records containing the given message queue id. .It Nm pid @@ -136,6 +141,30 @@ .Pp .Nm -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Pp +Output from the above command lines will typically be piped to a new trail +file, or via standard output to the +.Xr praudit 1 +command. +.Pp +Select all records containing a path token where the pathname contains +.Pa /etc/master.passwd +.Pp +.Nm +-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634 +.Pp +Select all records containing path tokens, where the pathname is a TTY +device: +.Pp +.Nm +-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 +.Pp +Select all records containing path tokens, where the pathname is a TTY +except for +.Pa /dev/ttyp2 +.Pp +.Nm +-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 .Sh SEE ALSO .Xr praudit 1 , .Xr audit_control 5 , ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#9 (text+ko) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#8 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#9 $ */ /* @@ -40,6 +40,13 @@ * XXX the records present within the file and between the files themselves */ +#include +#ifdef HAVE_FULL_QUEUE_H +#include +#else +#include +#endif + #include #include @@ -51,9 +58,14 @@ #include #include #include +#include +#include #include "auditreduce.h" +static TAILQ_HEAD(tailhead, re_entry) re_head = + TAILQ_HEAD_INITIALIZER(re_head); + extern char *optarg; extern int optind, optopt, opterr,optreset; @@ -81,10 +93,57 @@ static uint32_t opttochk = 0; static void +parse_regexp(char *re_string) +{ + char *orig, *copy, re_error[64]; + struct re_entry *rep; + int error, nstrs, i, len; + + copy = strdup(re_string); + orig = copy; + len = strlen(copy); + for (nstrs = 0, i = 0; i < len; i++) { + if (copy[i] == ',' && i > 0) { + if (copy[i - 1] == '\\') + strcpy(©[i - 1], ©[i]); + else { + nstrs++; + copy[i] = '\0'; + } + } + } + TAILQ_INIT(&re_head); + for (i = 0; i < nstrs + 1; i++) { + rep = calloc(1, sizeof(*rep)); + if (rep == NULL) { + (void) fprintf(stderr, "calloc: %s\n", + strerror(errno)); + exit(1); + } + if (*copy == '~') { + copy++; + rep->re_negate = 1; + } + rep->re_pattern = strdup(copy); + error = regcomp(&rep->re_regexp, rep->re_pattern, + REG_EXTENDED | REG_NOSUB); + if (error != 0) { + regerror(error, &rep->re_regexp, re_error, 64); + (void) fprintf(stderr, "regcomp: %s\n", re_error); + exit(1); + } + TAILQ_INSERT_TAIL(&re_head, rep, re_glue); + len = strlen(copy); + copy += len + 1; + } + free(orig); +} + +static void usage(const char *msg) { fprintf(stderr, "%s\n", msg); - fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n"); + fprintf(stderr, "Usage: auditreduce [options] [file ...]\n"); fprintf(stderr, "\tOptions are : \n"); fprintf(stderr, "\t-A : all records\n"); fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n"); @@ -258,23 +317,20 @@ static int select_filepath(char *path, uint32_t *optchkd) { - char *loc; + struct re_entry *rep; + int match; SETOPT((*optchkd), OPT_of); + match = 1; if (ISOPTSET(opttochk, OPT_of)) { - if (p_fileobj[0] == '~') { - /* Object should not be in path. */ - loc = strstr(path, p_fileobj + 1); - if ((loc != NULL) && (loc == path)) - return (0); - } else { - /* Object should be in path. */ - loc = strstr(path, p_fileobj); - if ((loc == NULL) || (loc != path)) - return (0); + match = 0; + TAILQ_FOREACH(rep, &re_head, re_glue) { + if (regexec(&rep->re_regexp, path, 0, NULL, + 0) != REG_NOMATCH) + return (!rep->re_negate); } } - return (1); + return (match); } /* @@ -328,6 +384,24 @@ return (1); } +static int +select_return32(tokenstr_t tok_ret32, tokenstr_t tok_hdr32, uint32_t *optchkd) +{ + int sorf; + + SETOPT((*optchkd), (OPT_c)); + if (tok_ret32.tt.ret32.status == 0) + sorf = AU_PRS_SUCCESS; + else + sorf = AU_PRS_FAILURE; + if (ISOPTSET(opttochk, OPT_c)) { + if (au_preselect(tok_hdr32.tt.hdr32.e_type, &maskp, sorf, + AU_PRS_USECACHE) != 1) + return (0); + } + return (1); +} + /* * Return 1 if checks for the the following succeed * auid, @@ -395,6 +469,7 @@ static int select_records(FILE *fp) { + tokenstr_t tok_hdr32_copy; u_char *buf; tokenstr_t tok; int reclen; @@ -423,6 +498,8 @@ case AU_HEADER_32_TOKEN: selected = select_hdr32(tok, &optchkd); + bcopy(&tok, &tok_hdr32_copy, + sizeof(tok)); break; case AU_PROCESS_32_TOKEN: @@ -451,6 +528,11 @@ tok.tt.path.path, &optchkd); break; + case AU_RETURN_32_TOKEN: + selected = select_return32(tok, + tok_hdr32_copy, &optchkd); + break; + /* * The following tokens dont have any relevant * attributes that we can select upon. @@ -465,7 +547,6 @@ case AU_IPCPERM_TOKEN: case AU_IPORT_TOKEN: case AU_OPAQUE_TOKEN: - case AU_RETURN_32_TOKEN: case AU_SEQ_TOKEN: case AU_TEXT_TOKEN: case AU_ARB_TOKEN: @@ -500,6 +581,7 @@ if (!strcmp(name, FILEOBJ)) { p_fileobj = val; + parse_regexp(val); SETOPT(opttochk, OPT_of); } else if (!strcmp(name, MSGQIDOBJ)) { p_msgqobj = val; @@ -679,8 +761,12 @@ argv += optind; argc -= optind; - if (argc == 0) - usage("Filename needed"); + if (argc == 0) { + if (select_records(stdin) == -1) + errx(EXIT_FAILURE, + "Couldn't select records from stdin"); + exit(EXIT_SUCCESS); + } /* * XXX: We should actually be merging records here. ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#4 (text+ko) ==== @@ -26,13 +26,20 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#3 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#4 $ */ #ifndef _AUDITREDUCE_H_ #define _AUDITREDUCE_H_ +struct re_entry { + char *re_pattern; + int re_negate; + regex_t re_regexp; + TAILQ_ENTRY(re_entry) re_glue; +}; + #define OPT_a 0x00000001 #define OPT_b 0x00000002 #define OPT_c 0x00000004 ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#19 (text+ko) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#18 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#19 $ */ #ifndef _LIBBSM_H_ @@ -78,6 +78,7 @@ #define DIR_CONTROL_ENTRY "dir" #define MINFREE_CONTROL_ENTRY "minfree" +#define FILESZ_CONTROL_ENTRY "filesz" #define FLAGS_CONTROL_ENTRY "flags" #define NA_CONTROL_ENTRY "naflags" #define POLICY_CONTROL_ENTRY "policy" @@ -719,6 +720,7 @@ void endac(void); int getacdir(char *name, int len); int getacmin(int *min_val); +int getacfilesz(size_t *size_val); int getacflg(char *auditstr, int len); int getacna(char *auditstr, int len); int getacpol(char *auditstr, size_t len); ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#14 (xtext) ==== @@ -1,7 +1,7 @@ #! /bin/sh -# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#31 . +# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11. +# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12. # # Report bugs to . # @@ -424,8 +424,8 @@ # Identity of this package. PACKAGE_NAME='OpenBSM' PACKAGE_TARNAME='openbsm' -PACKAGE_VERSION='1.0a11' -PACKAGE_STRING='OpenBSM 1.0a11' +PACKAGE_VERSION='1.0a12' +PACKAGE_STRING='OpenBSM 1.0a12' PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org' ac_unique_file="bin/auditreduce/auditreduce.c" @@ -955,7 +955,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems. +\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1021,7 +1021,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenBSM 1.0a11:";; + short | recursive ) echo "Configuration of OpenBSM 1.0a12:";; esac cat <<\_ACEOF @@ -1162,7 +1162,7 @@ test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -OpenBSM configure 1.0a11 +OpenBSM configure 1.0a12 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -1176,7 +1176,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenBSM $as_me 1.0a11, which was +It was created by OpenBSM $as_me 1.0a12, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -19278,7 +19278,7 @@ # Define the identity of the package. PACKAGE=OpenBSM - VERSION=1.0a11 + VERSION=1.0a12 cat >>confdefs.h <<_ACEOF @@ -23479,7 +23479,7 @@ } >&5 cat >&5 <<_CSEOF -This file was extended by OpenBSM $as_me 1.0a11, which was +This file was extended by OpenBSM $as_me 1.0a12, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23542,7 +23542,7 @@ cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -OpenBSM config.status 1.0a11 +OpenBSM config.status 1.0a12 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#15 (text+ko) ==== @@ -2,8 +2,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) -AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#14 $]) +AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm]) +AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#15 $]) AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_HEADER([config/config.h]) ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#7 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 $ +# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#7 $ # $FreeBSD: src/contrib/openbsm/etc/audit_control,v 1.2 2006/03/26 01:44:35 rwatson Exp $ # dir:/var/audit @@ -7,3 +7,4 @@ minfree:20 naflags:lo policy:cnt +filesz:0 ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#17 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 $ +# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#17 $ # $FreeBSD: src/contrib/openbsm/etc/audit_event,v 1.3 2006/06/27 18:09:54 rwatson Exp $ # 0:AUE_NULL:indir system call:no @@ -419,6 +419,10 @@ 43114:AUE_KENV:kenv(8):ad 43115:AUE_JAIL_ATTACH:jail_attach(2):ad 43116:AUE_SYSCTL_WRITE:sysctl(3):ad +43117:AUE_IOPERM:linux ioperm:ad +43118:AUE_READDIR:readdir(3):no +43119:AUE_IOPL:linux iopl:ad +43120:AUE_VM86:linux vm86:pc # # User space system events. # ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#6 (text+ko) ==== @@ -1,5 +1,5 @@ .\"- -.\" Copyright (c) 2005 Robert N. M. Watson +.\" Copyright (c) 2005-2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#6 $ .\" .Dd April 19, 2005 .Dt AU_CONTROL 3 @@ -33,6 +33,7 @@ .Nm endac , .Nm getacdir , .Nm getacmin , +.Nm getacfilesz , .Nm getacflg , .Nm getacna , .Nm getacpol , @@ -52,6 +53,8 @@ .Ft int .Fn getacmin "int *min_val" .Ft int +.Fn getacfilesz "size_t *size_val" +.Ft int .Fn getacflg "char *auditstr" "int len" .Ft int .Fn getacna "char *auditstr" "int len" @@ -88,6 +91,10 @@ .Va min_val variable. .Pp +.Fn getacfilesz +returns the audit trail rotation size in the passed size_t buffer +.Fa size_val . +.Pp .Fn getacflg returns the audit system flags via the the passed character buffer .Va auditstr ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#11 (text+ko) ==== @@ -27,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#10 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#11 $ */ #include @@ -396,6 +396,46 @@ } /* + * Return the desired trail rotation size from the audit control file. + */ +int +getacfilesz(size_t *filesz_val) +{ + char *filesz, *dummy; + long long ll; + + pthread_mutex_lock(&mutex); + setac_locked(); + if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) { + pthread_mutex_unlock(&mutex); + return (-2); + } + if (filesz == NULL) { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (1); + } + ll = strtoll(filesz, &dummy, 10); + if (*dummy != '\0') { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (-1); + } + /* + * The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE. 0 + * indicates no rotation size. + */ + if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) { + pthread_mutex_unlock(&mutex); + errno = EINVAL; + return (-1); + } + *filesz_val = ll; + pthread_mutex_unlock(&mutex); + return (0); +} + +/* * Return the system audit value from the audit contol file. */ int ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#9 (text+ko) ==== @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#8 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#9 $ .\" .Dd April 19, 2005 .Dt LIBBSM 3 @@ -84,6 +84,7 @@ .Xr endac 3 , .Xr setac 3 , .Xr getacdir 3 , +.Xr getacfilesz 3 , .Xr getacflg 3 , .Xr getacmin 3 , .Xr getacna 3 , ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#9 (text+ko) ==== @@ -1,4 +1,5 @@ .\" Copyright (c) 2004 Apple Computer, Inc. +.\" Copyright (c) 2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,7 +26,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#8 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#9 $ .\" .Dd January 4, 2006 .Dt AUDIT_CONTROL 5 @@ -66,6 +67,12 @@ .It Va policy A list of global audit policy flags specifying various behaviors, such as fail stop, auditing of paths and arguments, etc. +.It Va filesz +Maximum trail size in bytes; if set to a non-0 value, the audit daemon will +rotate the audit trail file at around this size. +Sizes less than the minimum trail size (default of 512K) will be rejected as +invalid. +If 0, trail files will not be automatically rotated based on file size. .El .Sh AUDIT FLAGS Audit flags are a comma-delimited list of audit classes as defined in the @@ -78,12 +85,14 @@ The following prefixes may be used for each class: .Pp .Bl -tag -width Ds -compact -offset indent +.It (none) +Record both successful and failed events .It + Record successful events .It - Record failed events .It ^ -Record both successful and failed events +Record neither successful nor failed events .It ^+ Do not record successful events .It ^- @@ -146,6 +155,7 @@ minfree:20 naflags:lo policy:cnt +filesz:0 .Ed .Pp The @@ -156,7 +166,8 @@ .Va policy parameter specifies that the system should neither fail stop nor suspend processes when the audit store fills. -will be audited. +The trail file will not be automatically rotated by the audit daemon based on +file size. .Sh FILES .Bl -tag -width "/etc/security/audit_control" -compact .It Pa /etc/security/audit_control ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#29 (text+ko) ==== @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#28 $ + * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_kevents.h#29 $ * $FreeBSD: src/sys/bsm/audit_kevents.h,v 1.7 2006/08/26 08:17:58 rwatson Exp $ */ @@ -471,6 +471,10 @@ #define AUE_KENV 43114 /* FreeBSD. */ #define AUE_JAIL_ATTACH 43115 /* FreeBSD. */ #define AUE_SYSCTL_WRITE 43116 /* FreeBSD. */ +#define AUE_IOPERM 43117 /* Linux. */ +#define AUE_READDIR 43118 /* Linux. */ +#define AUE_IOPL 43119 /* Linux. */ +#define AUE_VM86 43120 /* Linux. */ /* * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the